High attention point related to "Padding Oracle", reported by MobSF, when using encryption mode, "AES/CBC/PKCS7Padding", in class "StorageCipher18Implementation.java".

[kaganzdmr58]

When I analyzed the project with mobsf, it said that it found a high priority error. When I followed the error, I discovered that an old method was used in the library, can you help me to fix the error?

const AndroidOptions(
encryptedSharedPreferences: true,
storageCipherAlgorithm: StorageCipherAlgorithm.AES_GCM_NoPadding
);

I tried this but my problem still persists, i get this error from MobSf "The App uses the encryption mode CBC with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks."

[kaganzdmr58]

Error page

com/it_nomads/fluttersecurestorage/ciphers/StorageCipher18Implementation.java

StorageCipher18Implementation.java
protected Cipher getCipher() throws Exception {
return Cipher.getInstance("AES/CBC/PKCS7Padding");
}

STANDARTS
CWE: CWE-649: Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
OWASP Top 10: M5: Insufficient Cryptography
OWASP MASVS: MSTG-CRYPTO-3

[nhan7777]

I have the same issue when scan app via Qualys

[abirajabi]

I'm also having this issue. Is there any workaround for this problem?

[ernestomar]

Possible duplicate of #526?

[juliansteenbakker]

The fix of this issue will be discussed in #769